<!DOCTYPE html>
<html lang="zh-CN">





<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="/img/apple-touch-icon.png">
  <link rel="icon" type="image/png" href="/img/favicon.png">
  <meta name="viewport"
        content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
  <meta name="description" content="安全行业从业者，主要方向PC逆向附带安卓和Linux逆向，时不时喜欢写点BUG代码">
  <meta name="author" content="Cray">
  <meta name="keywords" content="">
  <title>H-WORM变种远控分析 ~ 逆向安全博客</title>

  <link rel="stylesheet" href="https://cdn.staticfile.org/font-awesome/5.12.1/css/all.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/twitter-bootstrap/4.4.1/css/bootstrap.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/mdbootstrap/4.13.0/css/mdb.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/github-markdown-css/3.0.1/github-markdown.min.css"  >

<link rel="stylesheet" href="//at.alicdn.com/t/font_1067060_qzomjdt8bmp.css">



  <link rel="stylesheet" href="/lib/prettify/tomorrow.min.css"  >

<link rel="stylesheet" href="/css/main.css"  >


  <link rel="stylesheet" href="https://cdn.staticfile.org/fancybox/3.5.7/jquery.fancybox.min.css"  >


<meta name="generator" content="Hexo 5.2.0"></head>


<body>
  <header style="height: 70vh;">
    <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">


    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/">首页</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/archives/">归档</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/tags/">标签</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/links/">友链</a>
          </li>
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" data-toggle="modal" data-target="#modalSearch">&nbsp;&nbsp;<i
                class="iconfont icon-search"></i>&nbsp;&nbsp;</a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

    <div class="view intro-2" id="background" false
      style="background: url('https://dc.snscz.com/s2/img/1200/2019/04/01/14/14004_4c746d4df0.jpg') no-repeat center center;
      background-size: cover;">
    
        <div class="full-bg-img">
        <div class="mask rgba-black-light flex-center">
          <div class="container text-center white-text fadeInUp">
            <span class="h2" id="subtitle">
              
                H-WORM变种远控分析
              
            </span>

            
              <br>
              

              <p>
                
                  
                  &nbsp;<i class="far fa-chart-bar"></i>
                  <span class="post-count">
                    1k 字
                  </span>&nbsp;
                

                
                  
                  &nbsp;<i class="far fa-clock"></i>
                  <span class="post-count">
                      3 分钟
                  </span>&nbsp;
                

                
                  <!-- 不蒜子统计文章PV -->
                  
                  &nbsp;<i class="far fa-eye" aria-hidden="true"></i>&nbsp;
                  <span id="busuanzi_container_page_pv">
                    <span id="busuanzi_value_page_pv"></span> 次
                  </span>&nbsp;
                
              </p>
            
          </div>

          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      

<div class="container-fluid">
  <div class="row">
    <div class="d-none d-lg-block col-lg-2"></div>
    <div class="col-lg-8 nopadding-md">
      <div class="py-5 z-depth-3" id="board">
        <div class="post-content mx-auto" id="post">
          <div class="markdown-body">
            <h2 id="基本信息"><a href="#基本信息" class="headerlink" title="基本信息"></a>基本信息</h2><table>
<thead>
<tr>
<th>FileName</th>
<th>FileType</th>
<th>MD5</th>
<th>Size</th>
</tr>
</thead>
<tbody><tr>
<td>4gdrwceq60b7dbl.sct</td>
<td>rat</td>
<td>69B7D326575C5616D82645960B3D081A</td>
<td>403845 bytes</td>
</tr>
</tbody></table>
<h2 id="简介"><a href="#简介" class="headerlink" title="简介"></a>简介</h2><p>该样本语言类型为 VBS和JS编写，在一定程序上能躲避安全软件的查杀，通过不同混淆更容易达到免杀的效果。</p>
<h2 id="流程图"><a href="#流程图" class="headerlink" title="流程图"></a>流程图</h2><p><img src="https://img-blog.csdnimg.cn/20190916190802115.png" srcset="/img/loading.gif" alt="在这里插入图片描述"></p>
<h2 id="详细分析"><a href="#详细分析" class="headerlink" title="详细分析"></a>详细分析</h2><p>这个样本母体总共会释放3个脚本</p>
<h3 id="脚本1"><a href="#脚本1" class="headerlink" title="脚本1"></a>脚本1</h3><p>首先我们看看<code>4gdrwceq60b7dbl.sct</code>，这个样本的母体，是一个sct格式的文件这是Visual FoxPro的表单配置文件<br>我们用<code>Sublimi Text</code>来打开它，记事本也是可以的。</p>
<p><img src="https://img-blog.csdnimg.cn/20190916155338357.png" srcset="/img/loading.gif" alt="在这里插入图片描述"><br>利用组数来存关键字符串，通过字符串的拼接来合成完整路径<br>会尝试删除<code>%APPDATA%\\taskmgr.js</code>  这个文件<br><img src="https://img-blog.csdnimg.cn/20190916155609819.png" srcset="/img/loading.gif" alt="在这里插入图片描述"><br><img src="https://img-blog.csdnimg.cn/20190916160236624.png" srcset="/img/loading.gif" alt="在这里插入图片描述"><br>文件中有很长一段密文，这里我改名为了<code>EncodeList</code>，通过<code>System.IO.MemoryStream.WriteByte()</code>方法把数据读入数据流中。<br>最重要的是使用<code>ADODB.Stream</code>类方法把这个数据流保存到了被上面删除掉的<code>%APPDATA%\\taskmgr.js</code>文件中<br><img src="https://img-blog.csdnimg.cn/20190916155832544.png" srcset="/img/loading.gif" alt="在这里插入图片描述"><br>最后使用<code>WScript.Shell.Run</code>方法运行<code>taskmgr.js</code>文件</p>
<p>我这里使Python给他拿出来，命名为<code>taskmgr.js</code><br><img src="https://img-blog.csdnimg.cn/20190916161513776.png" srcset="/img/loading.gif" alt="在这里插入图片描述"></p>
<h3 id="脚本2"><a href="#脚本2" class="headerlink" title="脚本2"></a>脚本2</h3><p>下面是<code>taskmgr.js</code> ，这个脚本其实还是一个解密脚本，也是 使用<code>AdoDB.Stream</code>处理数据流，然后使用<code>monKeyKing</code>中动态生成的eval方法去执行数据，来达到免杀<br><img src="https://img-blog.csdnimg.cn/20190916162014581.png" srcset="/img/loading.gif" alt="在这里插入图片描述"><br>通过一个<code>Microsoft.XmlDom</code>的创建一个<code>tmp</code>对象，然后把这个对象赋予<code>eval</code>方法<br>最后就可以用<code>this.p</code>去访问到<code>Microsoft.XmlDom.tmp</code>，来达到命令执行<br><img src="https://img-blog.csdnimg.cn/20190916162041325.png" srcset="/img/loading.gif" alt="在这里插入图片描述"><br>当然执行的命令也肯定是被加过密的，下面就是解密数据部分，这里就简单的把base64后的结果，然后把字符”A”替换成”!-%”<br><img src="https://img-blog.csdnimg.cn/20190916163628179.png" srcset="/img/loading.gif" alt="在这里插入图片描述"></p>
<p>最后使用上面构造的<code>eval</code>去执行这段解密的代码<br><img src="https://img-blog.csdnimg.cn/2019091616391031.png" srcset="/img/loading.gif" alt="在这里插入图片描述"></p>
<h3 id="脚本3-核心代码"><a href="#脚本3-核心代码" class="headerlink" title="脚本3 核心代码"></a>脚本3 核心代码</h3><p>这里开始分析脚本2中解密出来的代码</p>
<p>根据这host，port和代码量，可以判断出这个应该就是这个样本的实现核心的地方了。<br>这里其实这是一个远控加感染U盘传播</p>
<h4 id="U盘传播"><a href="#U盘传播" class="headerlink" title="U盘传播"></a>U盘传播</h4><p><img src="https://img-blog.csdnimg.cn/20190916165932567.png" srcset="/img/loading.gif" alt="在这里插入图片描述"><br>加入开机启动注册表项，来达到持久化攻击，这基本已是木马的共性<br><img src="https://img-blog.csdnimg.cn/20190916170039587.png" srcset="/img/loading.gif" alt="在这里插入图片描述"></p>
<p>在下面的try块中，有一个install函数会被循环调用，这个函数是用来检测感染移动存储设备的<br><img src="https://img-blog.csdnimg.cn/20190916170300961.png" srcset="/img/loading.gif" alt="在这里插入图片描述"><br>install() 会去判断当前系统磁盘是否有U盘或其他移动存储介质，有的话就执行感染操作<br><img src="https://img-blog.csdnimg.cn/20190916170657111.png" srcset="/img/loading.gif" alt="在这里插入图片描述"><br>枚举移动盘文件<br><img src="https://img-blog.csdnimg.cn/20190916171010711.png" srcset="/img/loading.gif" alt="在这里插入图片描述"><br>如果文件不是快捷方式，那就将权限改为<strong>隐藏</strong>和<strong>系统权限</strong>，然后给他们创建一个同名<code>.lnk</code>的快捷方式<br><img src="https://img-blog.csdnimg.cn/20190916171254264.png" srcset="/img/loading.gif" alt="在这里插入图片描述"><br>快捷方式被修改为了特殊构造的恶意代码，构造过程如下<br><img src="https://img-blog.csdnimg.cn/20190916171656803.png" srcset="/img/loading.gif" alt="在这里插入图片描述"><br>这样每个文件都会被隐藏，然后生成一个被感染的快捷方式去诱惑其他人点击，只要一点击，就会被感染。</p>
<h4 id="远控模块"><a href="#远控模块" class="headerlink" title="远控模块"></a>远控模块</h4><p>这个远控一共有<code>26</code>个命令模块，分别是<br>|命令  |含义  |<br>|–|–|<br>|disconnect|   断开连接 |<br>|reboot|   重启脚本 |<br>|shutdown| 关闭脚本 |<br>|excecute| 执行命令  |<br>|install-sdk|  安装SDK |<br>|get-pass|搜集密码  |<br>|get-pass-offline|  获取浏览器密码|<br>|update|    更新|<br>|uninstall| 卸载|<br>|up-n-exec| 请求下载执行文件|<br>|bring-log| 上传日志|<br>|down-n-exec|  下载执行文件 |<br>|filemanager|   文件管理|<br>|rdp|  启动RDP |<br>|keylogger| 启动kleylogger|<br>|offline-keylogger| 启动离线版kerlogger|<br>|browse-logs|   上传日志|<br>|cmd-shell| 执行cmd命令|<br>|get-processes| 枚举进程|<br>|disable-uac|   关闭UAC|<br>|check-eligible|    检测权限|<br>|force-eligible| 暴力提权   |<br>|elevate|  普通提权 |<br>|if-elevate|   检测权限 |<br>|kill-process| 结束进程 |<br>|sleep| 挂起进程|</p>
<p>这个程序会释放一个脚本到%appdata%下去，命名为<code>aFCnKVCdfY.js</code><br><img src="https://img-blog.csdnimg.cn/20190916164502275.png" srcset="/img/loading.gif" alt="在这里插入图片描述"></p>
<h3 id="脚本4"><a href="#脚本4" class="headerlink" title="脚本4"></a>脚本4</h3><p>aFCnKVCdfY.js这个和脚本三是一样的，除了域名变了，其他都没变化。</p>
<p><img src="https://img-blog.csdnimg.cn/20190916174051698.png" srcset="/img/loading.gif" alt="在这里插入图片描述"></p>
<h2 id="样本溯源"><a href="#样本溯源" class="headerlink" title="样本溯源"></a>样本溯源</h2><p><strong>C&amp;C</strong><br>unknownsoft.duckdns.org:7744<br>globalization.duckdns.org:50071</p>
<h2 id="查杀方案"><a href="#查杀方案" class="headerlink" title="查杀方案"></a>查杀方案</h2><p>删除自启动表项<br>HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\scriptName<br>HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\scriptName</p>
<p>删除<br>%appdata%\aFCnKVCdfY.js<br>%temp%\aFCnKVCdfY.js<br>%APPDATA%\taskmgr.js </p>
<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>谨防不明来路的邮件，网页 文件要谨慎，要对未知文件表示怀疑，切勿怀着试一试的态度打开</p>

            <hr>
          </div>
          <br>
          <div>
            <p>
            
              <span>
                <i class="iconfont icon-inbox"></i>
                
                  <a class="hover-with-bg" href="/categories/%E6%A0%B7%E6%9C%AC%E8%AF%A6%E7%BB%86%E5%88%86%E6%9E%90/">样本详细分析</a>
                  &nbsp;
                
              </span>&nbsp;&nbsp;
            
            
              <span>
                <i class="iconfont icon-tag"></i>
                
                  <a class="hover-with-bg" href="/tags/Rat-H-worm/">Rat H-worm</a>
                
              </span>
            
            </p>
            
              <p class="note note-warning">本博客所有文章除特别声明外，均采用 <a target="_blank" href="https://zh.wikipedia.org/wiki/Wikipedia:CC_BY-SA_3.0%E5%8D%8F%E8%AE%AE%E6%96%87%E6%9C%AC" rel="nofollow noopener noopener">CC BY-SA 3.0协议</a> 。转载请注明出处！</p>
            
          </div>
        </div>
      </div>
    </div>
    
      <div class="d-none d-lg-block col-lg-2 toc-container">
        <div id="toc">
  <p class="h5"><i class="far fa-list-alt"></i>&nbsp;目录</p>
  <div id="tocbot"></div>
</div>
      </div>
    
  </div>
</div>

<!-- custom -->


<!-- Comments -->
<div class="col-lg-7 mx-auto nopadding-md">
  <div class="container comments mx-auto" id="comments">
    
      <br><br>
      
      
  <div class="disqus" style="width:100%">
    <div id="disqus_thread"></div>
    <script>
      var disqus_config = function () {
        this.page.url = 'http://cve.gitee.io/cve/2019/09/04/H-WORM变种远控分析/';
        this.page.identifier = '/2019/09/04/H-WORM变种远控分析/';
      };
      var oldLoad = window.onload;
      window.onload = function () {
        var d = document, s = d.createElement('script');
        s.type = 'text/javascript';
        s.src = '//' + 'crayon-1' + '.disqus.com/embed.js';
        s.setAttribute('data-timestamp', +new Date());
        (d.head || d.body).appendChild(s);
      };
    </script>
    <noscript>Please enable JavaScript to view the <a target="_blank" href="https://disqus.com/?ref_noscript" rel="nofollow noopener noopener">comments
        powered by Disqus.</a></noscript>
  </div>


    
  </div>
</div>

    
  </main>

  
    <a class="z-depth-1" id="scroll-top-button" href="#" role="button">
      <i class="fa fa-chevron-up scroll-top-arrow" aria-hidden="true"></i>
    </a>
  

  
    <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v"
                 for="local-search-input">关键词</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>
  

  <footer class="mt-5">
  <div class="text-center py-3">
    <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><b>Hexo</b></a>
    <i class="iconfont icon-love"></i>
    <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"> <b>Fluid</b></a>
    <br>

    
  
    <!-- 不蒜子统计PV -->
    
    &nbsp;<span id="busuanzi_container_site_pv"></span>总访问量 
          <span id="busuanzi_value_site_pv"></span> 次&nbsp;
  
  
    <!-- 不蒜子统计UV -->
    
    &nbsp;<span id="busuanzi_container_site_uv"></span>总访客数 
            <span id="busuanzi_value_site_uv"></span> 人&nbsp;
  
  <br>



    


    <!-- cnzz Analytics icon -->
    

  </div>
</footer>

<!-- SCRIPTS -->
<script src="https://cdn.staticfile.org/jquery/3.4.1/jquery.min.js" ></script>
<script src="https://cdn.staticfile.org/popper.js/1.16.1/umd/popper.min.js" ></script>
<script src="https://cdn.staticfile.org/twitter-bootstrap/4.4.1/js/bootstrap.min.js" ></script>
<script src="https://cdn.staticfile.org/mdbootstrap/4.13.0/js/mdb.min.js" ></script>
<script src="/js/main.js" ></script>


  <script src="/js/lazyload.js" ></script>



  
  <script src="https://cdn.staticfile.org/tocbot/4.10.0/tocbot.min.js" ></script>
  <script>
    $(document).ready(function () {
      var navHeight = $('#navbar').height();
      var toc = $('#toc');
      var main = $('main');
      var tocT = navHeight + (toc.offset().top - main.offset().top);
      var tocLimMin = main.offset().top - navHeight;
      var tocLimMax = $('#comments').offset().top - navHeight;
      $(window).scroll(function () {
        var scroH = document.body.scrollTop + document.documentElement.scrollTop;
        if (tocLimMin <= scroH && scroH <= tocLimMax) {
          toc.css({
            'display': 'block',
            'position': 'fixed',
            'top': tocT,
          });
        } else if (scroH <= tocLimMin) {
          toc.css({
            'position': '',
            'top': '',
          });
        } else if (scroH > tocLimMax) {
          toc.css('display', 'none');
        }
      });
      tocbot.init({
        tocSelector: '#tocbot',
        contentSelector: '.post-content',
        headingSelector: 'h1,h2,h3,h4,h5,h6',
        linkClass: 'tocbot-link',
        activeLinkClass: 'tocbot-active-link',
        listClass: 'tocbot-list',
        isCollapsedClass: 'tocbot-is-collapsed',
        collapsibleClass: 'tocbot-is-collapsible',
        scrollSmooth: true,
      });
      if ($('.toc-list-item').length > 0) {
        $('#toc > p').css('visibility', 'visible');
      }
    });
  </script>







  <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" ></script>


<!-- Plugins -->



  <script src="https://cdn.staticfile.org/prettify/188.0.0/prettify.min.js" ></script>
  <script>
    $(document).ready(function () {
      $('pre').addClass('prettyprint  linenums');
      prettyPrint();
    })
  </script>





  <script src="https://cdn.staticfile.org/anchor-js/4.2.2/anchor.min.js" ></script>
  <script>
    anchors.options = {
      placement: "right",
      visible: "hover",
      
    };
    var el = "h1,h2,h3,h4,h5,h6".split(",");
    var res = [];
    for (item of el) {
      res.push(".markdown-body > " + item)
    }
    anchors.add(res.join(", "))
  </script>



  <script src="/js/local-search.js" ></script>
  <script>
    var path = "/local-search.xml";
    var inputArea = document.querySelector("#local-search-input");
    inputArea.onclick = function () {
      getSearchFile(path);
      this.onclick = null
    }
  </script>



  <script src="https://cdn.staticfile.org/fancybox/3.5.7/jquery.fancybox.min.js" ></script>
  <script>
    $("#post img:not(.no-zoom img, img[no-zoom])").each(
      function () {
        var element = document.createElement("a");
        $(element).attr("data-fancybox", "images");
        $(element).attr("href", $(this).attr("src"));
        $(this).wrap(element);
      }
    );
  </script>












</body>
</html>
